Modified computer motherboard security and identification system
First Claim
1. An identification and security system for a personal computer having an operating system, said identification and security system comprising:
a) a motherboard modified to include a security engine and enabling and disabling logic coupled to the security engine;
b) a basic input output system (BIOS) coupled to said motherboard, said BIOS modified to allow a microprocessor within the security engine to take over control of a microprocessor for the personal computer coupled to the motherboard;
c) a device driver layer (DDL) portion of said operating system modified to:
1. prevent loading of device drivers unless an authorization code is present in an internal memory of said security engine;
2. intercept all read and write operations to allow encryption and decryption of all data input to and output from said personal computer;
d) a smart card reader coupled to said security engine for reading a smart card, said smart card for providing said authorization code.
Abstract
A ‘personalized’ computer with a unique encrypted digital signature which will not boot up or recognize any data storage or communication peripheral devices without a matching ‘personalized’ smart card containing a complementary encrypted digital signature. A modified BIOS (Basic Input Output System) replaces the standard BIOS of a motherboard and allows a security engine microprocessor to take over preboot control of the computer from the motherboard CPU (Central Processing Unit), configures and operates the encryption-based security system, and enables or disables selected data storage devices and other user selectable peripherals upon start up and shut down of the computer. This use of a modified BIOS also allows this invention to work with any operating system or computer microprocessor chipset. The enabling or disabling of peripheral devices involves the use of special enabling/disabling circuits and a procedure for checking the security engine for the presence of an encrypted list of allowed peripheral devices before any particular device driver will be operational. A modified DDL (Device Driver Layer), loaded in the hard drive of the computer as part of the resident O/S (Operating System) of the computer, and memory buffer circuits allow a real time encryption system to be in place for any communication or data storage device. A data encryption engine in the security engine microprocessor allows encryption and decryption of all data stored in data storage devices, including the smart card, and moved through communication devices such as a modem. Upon power up, reset or interrupt of the computer, the microprocessor looks for, and if present, reads from the smart card in the smart card reader which is logically connected to the security engine microprocessor. A software program compares a unique digital signature placed in the smart card to a digital signature assigned to the computer. If these two digital signatures are complementary, the boot up procedure is allowed to continue and access to the computer allowed up to a predetermined level depending on the level of access configured on the smart card. This invention can also be used to allow identification and authentication of the computer and its user in networks.
302 Citations
24 Claims
1. An identification and security system for a personal computer having an operating system, said identification and security system comprising:
a) a motherboard modified to include a security engine and enabling and disabling logic coupled to the security engine;
b) a basic input output system (BIOS) coupled to said motherboard, said BIOS modified to allow a microprocessor within the security engine to take over control of a microprocessor for the personal computer coupled to the motherboard;
c) a device driver layer (DDL) portion of said operating system modified to:
1. prevent loading of device drivers unless an authorization code is present in an internal memory of said security engine;
2. intercept all read and write operations to allow encryption and decryption of all data input to and output from said personal computer;
d) a smart card reader coupled to said security engine for reading a smart card, said smart card for providing said authorization code.
14. A method of controlling access to a computer system and the data contained thereof comprising:
a. embedding a security engine comprising a microprocessor, scratch memory and a programming circuit connected to the security engine microprocessor in the computer system motherboard;
b. storing an algorithm for generating hash numbers in the internal memory of said microprocessor;
c. embedding a plurality of enable/disable circuits, connected to the security engine microprocessor and all peripheral devices in said motherboard;
d. embedding in said motherboard a memory buffer circuit comprising a programmable device and memory means connecting said security engine microprocessor and the ISA Bus;
e. embedding in said motherboard a memory buffer circuit comprising a programmable device and memory means connecting said security engine microprocessor and the PCI Bus;
f. connecting to the security engine microprocessor a smart card system comprising a smart card reader and at least one smart card which has more than one internal memory with a first memory containing an algorithm for creating hash numbers and a second memory having space for storing inputted data and the hash numbers created by the algorithm in the first memory;
g. replacing the standard BIOS with a modified BIOS which contains software routines that allow for the set up of the security configuration of the computer system, the input of user identification data and for the security engine microprocessor to take control of the start up of the computer system;
h. replacing the standard device driver layer of the computer system with a modified device driver layer, in which the modifications comprise the prevention of the loading of device drivers unless an authorizing code is present in the internal memory of the security engine microprocessor, the interception of all read and write procedures to enable the encryption and decryption of all data, the creation of a header for all encryption and decryption procedures for application data and the creation of a header for remote identification of said computer over a network;
i. personalizing said computer system and matching smart card by storing more than one hash number generated from identification information inputted by the user into the internal memory of the security engine microprocessor and complementary hash numbers into the second memory of the smart card;
j. authenticating the identity of a user upon attempted access to said computer system;
k. controlling access to said computer and peripheral devices;
l. securing all data stored in or moving through said peripheral devices through the use of cryptographic algorithms.
a. inputting a plurality of identification data to the scratch memory of the security engine;
b. writing this data to the second memory of the smart card;
c. generating more than one hash number from the inputted identification data using the algorithm stored in the internal memory of said security engine microprocessor with the maximum key length of said algorithm determined by the key length parameter passed from said vendor card and stored in the internal memory of said security engine microprocessor;
d. burning the hash numbers to the internal memory of the security engine microprocessor using the programming circuit;
e. generating more than one hash number in the smart card using the complementary algorithm stored in the first memory using the identification data written to the second memory of the smart card;
f. writing the hash numbers to the second memory of the smart card microprocessor.
17. The method according to claim 14, wherein the authentication procedure for said computer identification and security system comprises the steps of:
a. checking by the security engine microprocessor, upon power on, reset or interrupt, the smart card reader for a valid smart card;
b. synchronizing communications between the security engine microprocessor and the valid smart card inserted in said smart card reader;
c. reading by the security engine microprocessor more than one hash number from the internal memory of the security engine and the complementary hash numbers from the second memory of the smart card if a valid smart card is inserted into the reader;
d. placing said hash numbers in the scratch memory of the security engine;
e. checking for a match between the security engine hash numbers and the smart card hash numbers using an authentication algorithm;
f. if a match exists, reading by the BIOS the security configuration for the computer, enabling all allowed peripheral devices, setting up cryptographic procedures for selected peripheral devices and allowing the loading of the computer operating system;
g. if a match does not exist, terminating the start up procedure.
18. The method according to claim 17, wherein the synchronization of communications between the smart card and the security engine microprocessor further comprises the use of communication keys unique to each computer and matching smart card that is generated from the hash numbers stored in the internal memory of the security engine microprocessor and the internal memory of said matching smart card.
19. The method according to claim 14, wherein the securing all data stored in or moving through said peripheral devices comprises the steps of:
a. intercepting all read or write procedures in the device driver layer;
b. creating a header in the device driver which contains all the parameters required for a cryptographic procedure;
c. sending said header through the Bus system connected to the peripheral device which is involved in the read or write operation to the memory buffer circuit connected to said Bus system;
d. reading said header and the encryption parameters stored in the memory of the security engine by the security engine microprocessor;
e. reading of data to be encrypted or decrypted from the memory means of the memory buffer circuit by the security engine microprocessor;
f. encrypting or decrypting said data and sending the altered data back to the memory means of the memory buffer circuit;
g. sending said altered data to the appropriate peripheral device.
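The read/write interception of claim 19, as an added simulation that is not the patent's code: the device driver layer intercepts a write, builds a header carrying the cryptographic parameters, places header and data in the memory buffer on the bus, and the security engine transforms the buffered data in place before it is handed to the peripheral. The header fields, the key-slot scheme, storing the nonce next to the ciphertext, and the SHA-256 counter-mode keystream cipher are all constructed stand-ins for details the claim leaves unspecified.

```python
import hashlib
import os
from dataclasses import dataclass


@dataclass
class Header:
    """Claim 19 step b: the parameters the engine needs, built by the driver (fields are constructed)."""
    operation: str   # "write": encrypt before the device sees it; "read": decrypt after
    device: str
    key_slot: int    # index into the encryption parameters held in engine memory
    nonce: bytes
    length: int


class MemoryBuffer:
    """Memory buffer circuit on the bus: carries the header and the data in flight."""
    def __init__(self):
        self.header = None
        self.data = b""


class SecurityEngine:
    def __init__(self, key_table: dict):
        self.key_table = key_table   # encryption parameters stored in engine memory

    @staticmethod
    def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
        """Constructed stand-in cipher: counter-mode keystream from SHA-256; XOR is its own inverse."""
        out, counter = b"", 0
        while len(out) < n:
            out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
            counter += 1
        return out[:n]

    def process(self, buf: MemoryBuffer) -> None:
        """Steps d-f: read the header and stored parameters, transform the buffered data in place."""
        hdr = buf.header
        key = self.key_table[hdr.key_slot]
        ks = self.keystream(key, hdr.nonce, hdr.length)
        buf.data = bytes(a ^ b for a, b in zip(buf.data, ks))


class Device:
    """A peripheral: stores whatever the bus delivers, with the nonce kept alongside (an assumption)."""
    def __init__(self, name: str):
        self.name = name
        self.storage = {}


class DeviceDriverLayer:
    def __init__(self, engine: SecurityEngine, bus_buffer: MemoryBuffer, policy: dict):
        self.engine = engine
        self.buf = bus_buffer
        self.policy = policy   # device name -> key slot, for the devices selected for encryption

    def write(self, device: Device, key: str, plaintext: bytes) -> bytes:
        """Step a intercepts the write; steps b-g run only for devices selected in the policy."""
        if device.name not in self.policy:
            device.storage[key] = (None, plaintext)     # not selected: plaintext passes through
            return plaintext
        hdr = Header("write", device.name, self.policy[device.name], os.urandom(12), len(plaintext))  # b
        self.buf.header, self.buf.data = hdr, plaintext    # c. header and data onto the bus buffer
        self.engine.process(self.buf)                      # d-f. engine encrypts inside the buffer
        device.storage[key] = (hdr.nonce, self.buf.data)   # g. only ciphertext reaches the device
        return self.buf.data

    def read(self, device: Device, key: str) -> bytes:
        """The mirror image: the engine decrypts in the buffer before the driver returns data."""
        nonce, stored = device.storage[key]
        if device.name not in self.policy:
            return stored
        hdr = Header("read", device.name, self.policy[device.name], nonce, len(stored))
        self.buf.header, self.buf.data = hdr, stored
        self.engine.process(self.buf)
        return self.buf.data


def roundtrip_demo():
    """Write to an encrypted disk and an unencrypted modem, then read the disk data back."""
    engine = SecurityEngine({1: b"\x11" * 32})               # constructed key in slot 1
    ddl = DeviceDriverLayer(engine, MemoryBuffer(), {"hard_disk": 1})
    disk, modem = Device("hard_disk"), Device("modem")
    secret = b"payroll figures Q3"                          # constructed sample data
    on_disk = ddl.write(disk, "notes.txt", secret)
    on_modem = ddl.write(modem, "packet-1", b"hello")
    back = ddl.read(disk, "notes.txt")
    return secret, on_disk, back, on_modem
```

The policy table is what claim 17 step f calls "setting up cryptographic procedures for selected peripheral devices": only devices listed there get a header and a trip through the engine, and the plaintext never leaves the buffer for those devices. A practitioner checking such a design would look at exactly this boundary, since a device omitted from the policy receives plaintext with no error.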
20. A method of uniquely personalizing a computer having a modified motherboard comprising a microprocessor based security engine, Flash memory in said microprocessor, scratch memory buffer in said security engine, an algorithm for generating hash numbers in the internal memory of said microprocessor and a programming circuit connected to the security engine microprocessor;
a modified BIOS which contains software routines that allow for the set up of the security configuration of the computer system, the input of user identification data and for the security engine microprocessor to take control of the start up of the computer system; and
a smart card system comprising a smart card reader connected to said security engine microprocessor and at least one smart card which has more than one internal memory with a first memory containing an algorithm for creating hash numbers which is a derivative of the algorithm in the security engine and a second memory having space for storing inputted data and the hash numbers created by the algorithm in the first memory;
comprising the steps of:
a. inputting a plurality of identification data to the scratch memory of the security engine;
b. copying this data to the second memory of the smart card;
c. generating more than one hash number from the inputted identification data in the security engine scratch memory using the algorithm stored in the internal memory of said security engine microprocessor;
d. transferring all data from the security engine microprocessor flash memory to the memory buffer;
e. burning the hash numbers and transferred data to the flash memory of the security engine microprocessor using the programming circuit;
f. generating more than one hash number in the smart card using the algorithm stored in the first memory using the identification data copied to the second memory of the smart card;
g. writing the hash numbers to the second memory of the smart card microprocessor.
a. writing the contents of the security engine flash memory to the scratch memory;
b. writing any changes made to the identification data to the identification look up table in the security engine scratch memory;
c. writing any changes made to the identification data to the Identification area of the smart card internal memory;
d. creating new hash numbers from the identification data by the smart card microprocessor;
e. generating a new communication key for the smart card from the hash numbers;
f. creating new hash numbers from the identification data by the security engine microprocessor;
g. generating a new communication key for the security engine from the hash numbers;
h. burning the contents of the scratch memory of the security engine to the flash memory.
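The personalization of claim 20 and the power-on authentication of claims 17 and 18, as one added simulation that is not the patent's code: identification data is hashed in the security engine and burned to flash, the card derives complementary values into its second memory, both sides derive a communication key from the hash numbers, and at boot the engine challenges the card with that key before comparing the two hash sets. Constructed assumptions: SHA-256 truncated to 32 bits as the hash-number algorithm, bitwise complement as the meaning of "complementary", an HMAC challenge over a fresh nonce as the synchronization step, and the sample identification data.

```python
import hashlib
import hmac
import os

MASK32 = 0xFFFFFFFF


def hash_number(text: str, salt: bytes) -> int:
    """Stand-in for the engine's hash-number algorithm: SHA-256 truncated to 32 bits."""
    return int.from_bytes(hashlib.sha256(salt + text.encode()).digest()[:4], "big")


def complement(h: int) -> int:
    """Assumed meaning of 'complementary hash number': the bitwise complement."""
    return h ^ MASK32


def communication_key(hashes) -> bytes:
    """Claim 18: a key unique to one engine/card pair, derived from the engine-side hash numbers."""
    return hashlib.sha256(b"".join(h.to_bytes(4, "big") for h in hashes)).digest()


class SmartCard:
    """First memory is the card's own (derivative) hash algorithm; second memory is its data area."""

    def __init__(self):
        self.second_memory = {"id_data": None, "hashes": [], "ck": None}

    def derive_hashes(self):
        # The card's derivative algorithm yields the complement of what the engine computes.
        data = self.second_memory["id_data"]
        return [complement(hash_number(data[k], k.encode())) for k in sorted(data)]

    def respond(self, nonce: bytes) -> bytes:
        """Synchronization: HMAC over the engine's nonce with the card's communication key."""
        return hmac.new(self.second_memory["ck"] or b"", nonce, "sha256").digest()


class SecurityEngine:
    def __init__(self, security_config: dict):
        # flash holds the burned hash numbers, the communication key and the peripheral policy
        self.flash = {"hashes": [], "ck": None, "config": security_config}
        self.scratch = {}

    def personalize(self, card: SmartCard, id_data: dict) -> None:
        """Claim 20 steps a-g: hashes are burned to flash, complements are written to the card."""
        self.scratch["id_data"] = id_data                                        # a. input to scratch
        card.second_memory["id_data"] = dict(id_data)                            # b. copy to card
        hashes = [hash_number(id_data[k], k.encode()) for k in sorted(id_data)]  # c. hash in engine
        self.flash["hashes"] = hashes                                            # d/e. burn to flash
        self.flash["ck"] = communication_key(hashes)
        card.second_memory["hashes"] = card.derive_hashes()                      # f/g. card side
        card.second_memory["ck"] = communication_key(
            [complement(h) for h in card.second_memory["hashes"]])

    def synchronize(self, card: SmartCard) -> bool:
        """Claim 17 step b with the claim 18 key: challenge the card with a fresh nonce."""
        nonce = os.urandom(16)
        expected = hmac.new(self.flash["ck"], nonce, "sha256").digest()
        return hmac.compare_digest(expected, card.respond(nonce))

    def authenticate(self, card):
        """Claim 17 steps a-g. Returns the list of enabled peripherals, or None if start-up stops."""
        if card is None or not card.second_memory["hashes"] or self.flash["ck"] is None:
            return None                                          # a. no valid card in the reader
        if not self.synchronize(card):                           # b. communications not synchronized
            return None
        self.scratch["engine"] = list(self.flash["hashes"])      # c/d. both hash sets into scratch
        self.scratch["card"] = list(card.second_memory["hashes"])
        pairs = zip(self.scratch["engine"], self.scratch["card"])
        if len(self.scratch["engine"]) != len(self.scratch["card"]) or any(
                complement(mine) != theirs for mine, theirs in pairs):
            return None                                          # g. mismatch: terminate start-up
        return sorted(dev for dev, on in self.flash["config"].items() if on)  # f. enable devices


def boot_demo():
    """Personalize one machine/card pair, then try the matching card, a stranger's card and no card."""
    engine = SecurityEngine({"hard_disk": True, "modem": False, "usb": True})
    card = SmartCard()
    engine.personalize(card, {"name": "A. User", "serial": "PC-0001"})   # constructed data
    stranger = SmartCard()
    SecurityEngine({}).personalize(stranger, {"name": "B. User", "serial": "PC-0002"})
    return engine.authenticate(card), engine.authenticate(stranger), engine.authenticate(None)
```

Two properties of the model are worth noting for anyone evaluating a design like this. The synchronization step fails before any hash comparison when the card was personalized against a different engine, because the communication keys differ, so the hash numbers are never disclosed to a card that cannot prove it holds the key. And the comparison uses the burned flash values as the reference, so a card that merely copies another card's second memory would still need the matching engine.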
23. A method for creating a hierarchy of subordinate computer systems in which the computer system used to create a subordinate system has access to said subordinate system, using more than one computer having a modified motherboard comprising a microprocessor based security engine, flash memory in said microprocessor, scratch memory connected to said security engine, an algorithm for generating hash numbers and an algorithm for generating a communication key in the internal memory of said microprocessor and a programming circuit connected to the security engine microprocessor;
a modified BIOS which contains software routines that allow for the set up of the security configuration of the computer system, the input of user identification data and for the security engine microprocessor to take control of the start up of the computer system;
a smart card system comprising a smart card reader connected to said security engine microprocessor and an equal number of smart cards as computers having more than one internal memory with a first memory containing an algorithm for creating hash numbers which is a derivative of the algorithm in the security engine and a second memory having space for storing inputted data, the hash numbers created by the algorithm in the first memory and a smart card identification code, of which one smart card is identified as ‘used’ having at least two unique hash numbers in its second memory and a second smart card is ‘new’ with no identification data or hash numbers in its internal memory; and
at least one of said computers which contains no identification data in its security engine memory;
comprising the steps of:
a. inserting said used smart card into the card reader of the computer which has no identification data in its security engine memory;
b. writing one of said smart card's hash numbers to the scratch memory of the computer security engine;
c. creating a complement of said hash number;
d. creating a communication key from said hash number in the security engine;
e. writing said communication key to the security engine scratch memory;
f. inputting identification data to the scratch memory of the security engine;
g. inputting security configuration data to the scratch memory of the security engine;
h. creating two new hash numbers from the identification data in the scratch memory of the security engine;
i. writing the communication key (CK), two new hash numbers, and identification data and security configuration to the smart card inserted in the smart card reader;
j. ejecting the used smart card from the reader;
k. inserting a new smart card into the reader;
l. writing to said new smart card an identification code which identifies it as part of a subordinate system;
m. writing the hash number complement, identification data and security configuration to the new smart card;
n. calculating two new hash numbers, in the smart card, from the identification data;
o. creating a complement of the two hash numbers;
p. calculating a communication key from the complement of the hash number complement passed from the ‘used’ smart card;
q. writing the complement of the new hash numbers and the complement of the hash number passed from the ‘used’ smart card, and the communication key calculated by the new smart card to the internal memory of the new smart card;
r. writing all data in the security engine flash memory to the scratch memory;
s. burning the contents of the scratch memory to the security engine flash memory.
24. A method of identifying and authenticating, over a network, a uniquely personalized computer having a modified motherboard comprising a microprocessor based security engine, flash memory in said microprocessor, a look up table of personal identification data, a secret identification number which is the same for all computers containing this invention, in said flash memory;
scratch memory in said security engine;
an algorithm for generating hash numbers, a linear congruency function and a public key encryption algorithm in the internal memory of said microprocessor;
a modified DDL that allows for the creation of headers; and
a smart card system comprising a smart card reader connected to said security engine microprocessor and a personalized smart card which has internal memory with an Identification area for storing personal identification data and an Application area for storing external applications and an index for the location and identification codes for each application; and
a data base of personal identification data for other personalized computers comprising the steps of:
a. a first personalized computer requesting identification through an application from a second personalized computer over a network comprising selected identification data from the second computer's identification data look up table and select information from the second computer's smart card;
b. a device driver in the second computer generating a header comprised of the identification task, the addresses of the identification parameters requested and the two byte code for any smart card application from which data is required and the location of said data;
c. sending this header to the security engine microprocessor;
d. reading of the identification data from the look up table in said security engine microprocessor flash memory;
e. reading of the identification data from the look up table of the internal memory of the smart card inserted in the smart card reader;
f. writing the retrieved identification data to the internal memory of the security engine microprocessor;
g. generating a hash number from the identification data stored in said internal memory;
h. passing said hash number through a linear congruency function using the secret identification number stored in flash memory;
i. encrypting the resultant number with the public key algorithm;
j. sending the encrypted data to the first computer;
k. the receiving application of the first computer calling a device driver to decrypt the data;
l. the device driver creating a header comprising the parameters for the decryption procedure;
m. sending this header with the encrypted data to the internal memory of the first computer's security engine microprocessor;
n. decrypting the data using the public key algorithm stored in the flash memory of the first computer;
o. passing the resultant data through the linear congruency function to produce the hash number generated by the second computer and the secret identification number;
p. decrypting the hash number using the hash number generating algorithm stored in the flash memory of the first computer;
q. comparing the identification data with that stored in the data base;
r. confirming the identity of the second computer if the data matches.
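The network identification exchange of claim 24, as an added simulation that is not the patent's code: the second computer gathers the requested identification data from its flash look-up table and its smart card, hashes it, passes the hash through a linear congruency function keyed with the secret identification number, and public-key encrypts the result; the first computer decrypts, inverts the linear congruency function, and checks the recovered hash against its database. Constructed stand-ins, none of them from the page: SHA-256 truncated to 32 bits as the hash number, f(x) = (A*x + secret) mod 2^32 as the linear congruency function with a fixed odd multiplier A so it can be inverted, textbook RSA with small fixed primes as the public-key algorithm, and the secret and sample identification values. Because a hash cannot be inverted, step p is modelled as recomputing the hash from the database record and comparing it with the recovered one.

```python
import hashlib

MOD = 2 ** 32
A = 1664525                 # constructed multiplier; odd, so invertible modulo 2^32
A_INV = pow(A, -1, MOD)
SECRET_ID = 0x5EC4E7        # constructed stand-in for the secret identification number shared by all units

# Textbook RSA with constructed primes; n exceeds 2^32 so any 32-bit value is a valid message.
P, Q = 131071, 524287
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def hash_number(fields: dict) -> int:
    """Stand-in hash-number algorithm: canonicalize the fields, SHA-256, keep 32 bits."""
    canon = "|".join(f"{k}={fields[k]}" for k in sorted(fields))
    return int.from_bytes(hashlib.sha256(canon.encode()).digest()[:4], "big")


def lcf(x: int) -> int:
    """Linear congruency function keyed with the secret identification number (step h)."""
    return (A * x + SECRET_ID) % MOD


def lcf_inverse(y: int) -> int:
    """Step o: undo the linear congruency function; only a holder of SECRET_ID can do this."""
    return ((y - SECRET_ID) * A_INV) % MOD


def pk_encrypt(m: int, pub) -> int:
    e, n = pub
    return pow(m, e, n)


def pk_decrypt(c: int, priv) -> int:
    d, n = priv
    return pow(c, d, n)


class PersonalizedComputer:
    def __init__(self, lookup_table: dict, card_identification: dict, database: dict):
        self.flash_lookup = lookup_table                 # identification look-up table in engine flash
        self.card_identification = card_identification   # Identification area of the inserted smart card
        self.database = database                         # identification data of other computers
        self.engine_memory = {}

    def respond_to_identification(self, requested_fields, app_code: bytes, requester_pub) -> int:
        """Second computer, steps b-j: header -> engine -> hash -> LCF -> public-key encrypt."""
        header = {"task": "identify", "params": list(requested_fields), "app": app_code}  # b, c
        data = {}
        for field in header["params"]:                                                     # d, e
            source = self.flash_lookup if field in self.flash_lookup else self.card_identification
            data[field] = source.get(field)
        self.engine_memory["id_data"] = data                                               # f
        h = hash_number(data)                                                              # g
        return pk_encrypt(lcf(h), requester_pub)                                           # h, i, j

    def verify_identification(self, peer_name: str, requested_fields, ciphertext: int, priv) -> bool:
        """First computer, steps k-r: decrypt, invert the LCF, compare with the database record."""
        header = {"task": "decrypt", "params": list(requested_fields)}                    # l, m
        y = pk_decrypt(ciphertext, priv)                                                   # n
        h_received = lcf_inverse(y)                                                        # o
        record = self.database.get(peer_name)
        if record is None:
            return False
        expected = hash_number({f: record.get(f) for f in header["params"]})               # p, q
        return h_received == expected                                                      # r


def identification_demo():
    """A genuine peer and an impostor with a different serial both answer the same request."""
    pub, priv = (E, N), (D, N)
    fields = ["serial", "owner"]
    database = {"pc-two": {"serial": "PC-0002", "owner": "B. User"}}       # constructed records
    first = PersonalizedComputer({"serial": "PC-0001"}, {"owner": "A. User"}, database)
    second = PersonalizedComputer({"serial": "PC-0002"}, {"owner": "B. User"}, {})
    impostor = PersonalizedComputer({"serial": "PC-0009"}, {"owner": "B. User"}, {})
    genuine = first.verify_identification(
        "pc-two", fields, second.respond_to_identification(fields, b"\x00\x01", pub), priv)
    forged = first.verify_identification(
        "pc-two", fields, impostor.respond_to_identification(fields, b"\x00\x01", pub), priv)
    return genuine, forged
```

The claim states that the secret identification number is the same for every computer containing the invention. In the model that makes the linear congruency layer a group secret rather than a per-device one: any unit that holds it can strip that layer, so the binding of a response to a particular machine rests on the public-key layer and on the database comparison, not on the secret. That is the caveat a reviewer would raise when assessing what this exchange actually proves.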